Академический Документы
Профессиональный Документы
Культура Документы
International SEMATECH
Technology Transfer # 99113846A-ENG
SEMATECH and the SEMATECH logo are registered service marks of SEMATECH, Inc.
International SEMATECH and the International SEMATECH logo are registered service marks
of International SEMATECH, Inc., a wholly-owned subsidiary of SEMATECH, Inc.
Product names and company names used in this publication are for identification purposes only
and may be trademarks or service marks of their respective companies.
Abstract: The document provides guidance to key techniques and methods used within the semiconductor
industry for identifying and documenting environment, safety, and health (ESH) hazards and their
controls. It contains a tutorial that explains how to identify hazards, analyze hazards and controls,
document the results of an analysis, and manage residual risk. A hazards checklist and examples
of a hazard analysis are included.
Disclaimer:
This reference manual was prepared by the International SEMATECH equipment ESH council ("the
Council") as a guide for use by safety engineers and other ESH professionals when conducting a hazards
analysis of semiconductor manufacturing equipment. It contains ideas and suggestions provided by ESH
professionals within the semiconductor industry for the use of established hazards analysis
methodologies and associated protocols, including governmental and SEMI guidelines and standards. It
does not claim to be nor is it intended to be a definitive reference guide or set of requirements for the
industry.
In developing this manual, the Council attempted to address many key elements of an effective hazards
analysis plan; however, specific regulations and code compliance requirements may not have been
addressed. In the event of a conflict, compliance with legal and regulatory requirements must take
precedence over any suggestions offered by this manual. Hazards analysis professionals and their
companies retain responsibility for ensuring that their ESH programs are sound and complete and that
they meet regulatory compliance requirements regardless of whether such requirements are addressed
herein.
This document is made available "as is" and "where is" without any warranty, express or implied, made by
the Council, International SEMATECH, or any member company of International SEMATECH and said
parties further specifically disclaim liability for any losses or damages based on the contents of this
manual.
Author: Mollie Foster, James Beasley, Brett Davis, Paul Kryska, Eddie Liu, Andy McIntyre,
Mike Sherman, Brett Stringer, James Wright
Table of Contents
1 EXECUTIVE SUMMARY....................................................................................................... 1
2 TUTORIAL............................................................................................................................... 1
2.1 Hazards Identification....................................................................................................... 1
2.1.1 Data Collection ...................................................................................................... 1
2.1.2 Hazards Inventory .................................................................................................. 4
2.2 Hazards Analysis and Controls......................................................................................... 4
2.2.1 Define Scope or Boundaries of Analysis ............................................................... 4
2.2.2 Operational Phases ................................................................................................. 5
2.2.3 Operating Conditions ............................................................................................. 5
2.2.4 Unmitigated Consequence ..................................................................................... 5
2.2.5 Key ESH Controls.................................................................................................. 6
2.2.6 Barriers and Safety Features Against Hazard Propagation.................................... 7
2.2.7 Possible Release Mechanisms and/or Failure Mechanisms................................... 7
2.2.8 Consequence of Accident....................................................................................... 7
2.2.9 Likelihood of Accident .......................................................................................... 8
2.3 Documenting the Results .................................................................................................. 8
2.3.1 Description of the System Analyzed...................................................................... 9
2.3.2 Hazards Analysis Worksheet ................................................................................. 9
2.4 Managing Residual Risk................................................................................................. 11
3 USING HAZARDS ANALYSIS TECHNIQUES TO SUPPORT THE HAZARD
ANALYSIS ............................................................................................................................. 13
3.1 "What If" Analysis.......................................................................................................... 14
3.1.1 Assembling the Team........................................................................................... 14
3.1.2 Choosing a Facilitator .......................................................................................... 14
3.1.3 Assembling the Reference Materials ................................................................... 15
3.1.4 Setting the Groundrules ....................................................................................... 15
3.2 Description of the What If? Analysis .......................................................................... 15
3.2.1 Alternative Names................................................................................................ 15
3.2.2 Purpose:................................................................................................................ 16
3.2.3 Methodology ........................................................................................................ 16
3.2.4 Applications ......................................................................................................... 16
3.2.5 Thoroughness ....................................................................................................... 16
3.2.6 Mastery Required................................................................................................. 16
3.2.7 Difficulty of Applications .................................................................................... 17
3.2.8 General Comments............................................................................................... 17
3.2.9 What If? Pros and Cons ....................................................................................... 17
3.3 Failure Modes and Effects Analysis (FMEA) ................................................................ 21
3.3.1 Alternative Names................................................................................................ 21
3.3.2 Purpose................................................................................................................. 21
3.3.3 Method ................................................................................................................. 21
3.3.4 Application........................................................................................................... 22
3.3.5 Thoroughness ....................................................................................................... 22
3.3.6 Mastery Required................................................................................................. 22
3.3.7 General Comments............................................................................................... 22
List of Figures
List of Tables
Following are terms and definitions used in this guide. Effort was made to use definitions and
terms common to the industry and in the safety arena. The sources of these definitions have been
included where possible:
Hazard Analysis Identifying hazards and characterizing the risks associated with potential
mishaps arising out of the hazards.
Note 1: This term is used in the same sense in SEMI 2614d.
Note 2: This term is essentially the same as the term risk analysis as used in EN1050 and the
1991 IEC/ISO Guide 51.
Note 3: The process described by this term does not include the judgment of whether or not the
risk is acceptable, which is considered either as part of the design process or a business decision.
This judgment of acceptability of risk is known as risk evaluation in 1991 IEC/ISO Guide 51.
Risk Assessment Determining the probability of a mishap and the severity of the resulting
loss or harm.
Note 1: This term is essentially the same as SEMI 2614cs risk assessment and prEN1050s
risk estimation.
Note 2: This term is quite different from EN1050s use of the term risk assessment.
The following terms and definitions are taken from SEMI S10-1296:
Hazard A condition that is a prerequisite to a mishap.
Likelihood The expected frequency with which a mishap will occur. Usually expressed as a
rate (e.g., events per year, per product, per wafer processed).
Mishap An unplanned event or series of events that results in death, injury, occupational
illness, damage to or loss of equipment or property, or environmental damage.
Risk The expected losses from a mishap, expressed in terms of severity and likelihood.
Severity The extent of the worst credible loss from a mishap caused by a specific hazard.
The following term and definition is taken from SEMI Document 2697D:
Residual Risk That risk which remains after engineering, administrative, and work practice
controls have been implemented.
1 EXECUTIVE SUMMARY
The key factor that separates the semiconductor industry from most others is the extraordinary
rate of change in manufacturing and product technologies. This rate of change far exceeds the
rate of change of the various Environmental, Safety & Health (ESH) codes, standards, or
guidelines. As a result the semiconductor industry has set an expectation that hazards analysis be
performed in supporting several industry guidelines (e.g., SEMI S2, SEMI S8 & SEMI S10,
etc.).
The purpose of this reference is to outline key techniques and methods used within the industry
for identifying and documenting hazards and their controls. The members of the International
SEMATECH Equipment ESH Council have worked together to prepare this Hazards Analysis
Guide as a tool to industry members, including, equipment manufacturers, third parties, and
device manufacturers.
2 TUTORIAL
This section provides an overview of how to
Identify hazards associated with a system, subsystem, tool, procedure, process, or facility
during any phase
Describe the hazard in terms that clearly state the safety concern
Qualitatively describe the risk associated with a particular hazard
Specifically, the interrelated components of this overview comprise
1. Hazard identification
2. Hazards analysis and controls
3. Analysis documentation
2.1.1.1 Specifications
In the early phases of a design, functional requirements documents and specifications are likely
to provide the most comprehensive source of information. When coupled with interviews of
process and hardware engineers (see below), the analyst should be able to form a conceptual
image of the tool or process and its operation.
The analyst should also use specifications to identify the basic process performance, hazardous
energies, critical components, types of chemicals, and applications of interlocks.
2.1.1.5 Interviews
For mature systems, discussions with individuals currently using the system/components or with
field service personnel with extensive experience can also be insightful. These individuals often
develop their own set of concerns or observations about a products shortcomings as well a
description of useful features. Operators also can provide a picture of how the tool is actually
operated, the thought process that goes into troubleshooting modes, and the typical sequence of
events and duration of activities. These insights cannot typically be obtained from the design
engineers or maintenance manuals. As the new or modified design matures, analyst participation
in multi-disciplinary or cross-functional teams is essential. These teams include professionals
from related disciplines, such as the field and maintenance engineers, reliability, manufacturing,
technical publications, purchasing, supplier quality, and other product groups.
components and tracked as such through evaluation and acceptance. If the unmitigated
consequence of a hazard is considered acceptable (i.e., brief exposure to inert gas), then it
becomes the residual risk, and no further evaluation of that hazard is conducted.
2.2.5.1 Interlocks
Hardware and software interlocks are intended to interrupt a sequence of events that could lead
to an accident. Hardware interlocks are typically electrical or mechanical devices that fail-safe
in their operation. They are typically used in critical safety applications, primarily to control
hazardous energy sources. Software interlocks, while not recognized as interlocks by SEMI
S2, are often used to interrupt a process before activating a hardware interlock. In this capacity,
the hardware interlocks back-up the software interlocks.
Documenting all of the safety interlocks (both hardware and software) helps build the hazard
picture for the analyst and reviewers. Describing the interlocks within a table that lists the
interlock, the action taken, and the protection provided will allow for easy incorporation into
system manuals after the product is released.
provide those additional safety features as an option or standardize the product, thereby reducing
the number of configurations.
208 VAC, 75 lbs., etc. The consequences of exposure to these source terms can be debated, but if
everyone has a clear and agreed upon source term, it makes the discussions much more coherent.
Other SEMI documents, such as S10-96, Safety Guideline for Risk Assessment, provide
additional guidance for categorizing consequences into bins that correlate with the degree of
severity.
Describe exposure route, Indicate all existing or Qualify the consequence If risk is unacceptable,
components, phase, and planned hazard controls. and likelihood of a indicate here, describe
unmitigated consequence. bounding accident based on verification activities.
means of initiation, safety
features, and credible
consequences.
1) Flammable Gas Fire Due Control of this hazardous Accident Scenario: Hydrogen
to Leak in Foreline: event is maintained by direct is purged to the foreline,
Hydrogen is purged to the supply of nitrogen to the dry either by deliberate means
foreline, either by deliberate pump in quantities that using nitrogen or accidentally
means using nitrogen, mixing ensure the hydrogen under maximum flow
with air, and is ignited by concentration is below lower conditions due to failure
friction in the dry pump. explosive limit (LEL): (open) of V25 and V23A.
Nitrogen dilution is lost at the
Nitrogen dilution to the
purge pump and the interlock
dry pump at a rate of 2
fails to detect the loss of
slm, which ensures that
flow. This would result in the
the hydrogen
maximum consequence. A
concentration stays at or
more likely scenario is
below 5% (Per S2
hydrogen pushed through the
Application Guide,
chamber and purge nitrogen
Appendix C, part 8.2.3.1).
is lost. The H2 flow would be
Nitrogen dilution flow is limited to 100 sccm through
interlocked to the the mass flow controller.
hydrogen supply valve. Ignition of hydrogen at the
pump would likely cause
replacement of the pump.
Consequences: Moderate (III)
Likelihood: Extremely
Unlikely (C)
Risk: III-C, Low. No further
action required.
2) Flammable Gas Fire The gas box door is Accident Scenario: During Verify that the following
During Maintenance of interlocked to the maintenance, technician fails procedures are included in
Gas Box: Hydrogen is hydrogen supply valve, to LOTO the hydrogen valve the maintenance manual:
leaked from the lines V22A. before breaking the line. The a) manual purge and b)
during maintenance, supply valve fails to close, LOTO procedure.
The hydrogen supply
mixing with air and thus allowing hydrogen to
valve has lockout/tagout
ignited. flow when the line is
capability.
breached.
Consequences: Severe (II)
Likelihood: Incredible (D)
Risk: II-D, Very low. No
further action required.
Conditions due to position (hazardous location/height), Equipment damage by improper operation/handling may also
equipment (inadequate visual/audible warnings or heavy occur
lifting), or other elements that could cause injury to personnel.
Kinetic/Mechanical Energy (Acceleration) Impact
System/component linear or rotary motion. Change in Disintegration of rotating components
velocity, impact energy of vehicles, components or fluids. Displacement of parts or piping
Seating or unseating valves or electrical contact
Detonation of shock sensitive explosives
Disruption of metering equipment
Friction between moving surfaces
Material Deformation Change in physical or chemical properties; corrosion, aging,
Degradation of material due to an external catalyst (i.e., embrittlement, oxidation, etc.
corrosion, aging, embrittlement, fatigue, etc.).
Structural failure
De-lamination of layered material
Electrical insulation breakdown
Natural Environment Structural damage from wind
Conditions including lighting, wind, flood, temperature Equipment damage
extremes, pressure, gravity, humidity, etc. Personnel injury
L
Liquid compound stratification
Toxicants
Inhalation or ingestion of substances by personnel P Respiratory system damage
Blood system damage
Body organ damage
X
System/component produced energy
Loosing of parts
Chattering of valves or contacts
facilitator should also be able to draw the participation out of the team when the flow appears to
stall. The good facilitator should be more of a coach than a dictator. In any case, choosing the
right facilitator is critical to the success of the analysis.
3.2.2 Purpose:
The purpose of the What-If Analysis methodology is to identify hazards, hazardous situations, or
specific accident events that could produce an undesirable consequence. The What-If Analysis
methodology is described in more detail in the first and second references at the conclusion of
this discussion.
3.2.3 Methodology
The What-If Analysis technique is a brainstorming approach in which a group of experienced
individuals familiar with a process ask questions or
Voice concerns about possible undesired events in the process. It is not inherently structured as
some other techniques, such as the Hazard and Operability Study (HAZOP) or a Failure Mode
and Effects Analysis (FEMA) which are also presented in this section. Rather, it requires the
analysts to adapt the basic concept to the specific application.
The What-If Analysis Concept encourages an analysis team to think of questions that begin with
"What If." Through this questioning process, an experienced group of individuals identify
possible accident situations, their consequences, and existing safeguards, then suggest alternative
for risk reduction. The potential accidents identified are neither ranked nor given quantitative
implications.
The analysis team reviews the process from raw material to final product. At each step they ask
"what if" questions dealing with procedural errors, hardware failures, and software errors. The
What-If Analysis technique may simply generated a list of questions and answers about the
consequences, safeguards, and possible options for risk reduction.
The What-If Analysis uses and produces a tabular listing of narrative-style questions and
answers which constitute potential accident scenarios, their qualitative consequences, and
possible risk reduction methods. Although some What-If analyses are documented in a narrative-
style format, a matrix table makes the documentation more organized and easier to use.
3.2.4 Applications
The What-If Analysis can be applied to almost any operation or system process. It is specifically
identified as an analysis method for use in the OSHA Process Safety Management regulations
(see reference). The techniques may also be applied to contingency planning and accident
analysis.
3.2.5 Thoroughness
The degree of thoroughness in the application of the What-If Analysis methodology is directly
dependent upon team make-up and the exhaustive nature of the "what-if" questions asked. As in
the HAZOPS, a diverse team in appropriate with at least one individual identified who is familiar
with the process or operation being analyzed.
larger teams may be required for more complex processes. When a large team is required, the
process may be divided logically into smaller portions, and a subset of the team may analyze a
particular portion.
3.2.9.1 Attributes
As noted above, this technique is easy to facilitate and can be used by a team that is relatively
inexperienced in hazard analysis. The technique also provides a good qualitative analysis of the
hazards present. It should be noted, however, that this method typically works to identify only
single point failures.
3.2.9.2 Applications
This form of analysis lends itself to identifying single point failures and obvious hazards. It can
also be effective in the design review to challenge designs and protections. The semiconductor
industry has also found this technique useful in determining compliance with industry safety
requirements for single fault hazard analysis, at any point in development of equipment.
3.2.9.3 Example
Below is an example of a typical What If? analysis. The example question is developed along
with others to show the variations in application and approach.
TDEAT mechanical fitting TDEAT released into oven None Non-Compliance Level A:
(pressurized) in oven leaks. with no exhaust/spill ABC to move mechanical fitting
containment into the gas cabinet.
B. No air pressure
Cooling CDA to chamber lid Over heat shower and CDA Interlock will shut None
is... increase deposition down heaters if CDA is
A. Low lost
B. No air pressure
High air pressure to Valves would slam shut Needle valve on HVA None
loadlock/gate valves Equipment damage valves.
VAT valve does not need
protection
Lose turbo pump Process only None
High voltage on with chamber Shock and burn 100 Torr pressure switch None
open (hardware and NRTL
approved) shuts off RF.
3.3.2 Purpose
The purpose of the FMEA is to determine the results of effects of sub-element failures on a
system operation and to classify each potential failure according to its severity. Often associated
with an FMEA is an additional criticality analysis with the FMEA is referred to as the FMECA.
3.3.3 Method
1. The first step in preparing an FMEA is to define the system to be analyzed. The boundaries
of the analysis are important and should be defined. Interfaces that cross the design boundary
should be included in the analysis.
2. The analyst should obtain all necessary, available documents, including drawings,
specifications, schematics, component lists, etc., to complete the analysis.
3. The system then is divided into manageable units for analysis. Typically, a system is divided
into functional elements, such as RF, gas delivery, or data management.
4. Elements can be subdivided to piece parts if appropriate. Typically, an FMEA starts at a high
subsystem level; if unacceptable consequences are discovered, then the particular subsystem
is divided even further to identify the vulnerable link in the design.
5. The results of the analysis are recorded on a worksheet. A sample worksheet is provided as
Table 6.
6. Once the system element has been identified, the analyst then must ask if any failure of the
element will result in an unacceptable system loss. If the answer is No, then no further
analysis of the element is necessary. If the answer is Yes, then the element must be examined
further.
7. The analyst must look at the system and determine what kind of failures could occur and
what the effect of such a failure would be. Failure causes are also identified.
8. The next step is to determine what provisions are in place to detect and/or control the
consequence of a failure.
9. Failure modes are then evaluated for their magnitude of consequence and likelihood of
occurrence. This process is the risk assessment portion of the analysis. It has also been the
Criticality component in the Failure Modes and Effects Criticality Analysis (FMECA).
Current practice has led to the FMEA including the criticality or risk assessment
component within its scope.
10. By continuing in this manner of postulating the various failure modes, determining
consequences, and assigning a risk value to the failure modes, the resulting document will
provide a risk-ranked list of single point failures for the system.
11. When the analysis is complete, the analyst can then determine which failures require
additional safety features and which do not.
3.3.4 Application
The technique is universally applicable to systems, sub-systems, components, procedures,
interfaces etc. When applied to procedures, systems and the like must be sufficiently documented
or otherwise formalized to lend themselves to the necessary analysis (see Procedure Analysis).
A small interdisciplinary team is usually the most effective approach.
3.3.5 Thoroughness
Thoroughness is dictated by the following:
1. The degree to which failure modes are identified and explored
2. The degree to which effect avenues are identified and to which they are explored for each
failure mode
3. The degree to which the effects of multiple, co-existent failure modes are analyzed.
makes evaluating even complex systems easy to do. The drawbacks to the FMEA format are that
it can be very time-consuming (and expensive) and does not readily identify areas of multiple
fault that could occur. This method does not easily lend itself to procedural review as it may not
identify areas of human error in the process.
3.3.9 Applications
The FMEA can be used at the design stage to evaluate critical assemblies or processes before
hardware manufacture. Possible undesirable failure modes of a component or subsystem can be
identified for redesign or further assessment before hardware manufacture.
L E
P
M
A
X
E
25
3.4.1 Method
The first step in preparing a HAZOP is to define the system to be analyzed. Once the system is
defined, then nodes (boundaries) are selected that provide a logical breakdown of major
subsystems (or components) for examination. For example, a typical chemical vapor deposition
(CVD) process (see Figure 1) may be divided into the following nodes:
Gas panel (to process module or chamber input)
Liquid delivery system (to process module or chamber) input
Process module (to input to vacuum pump)
Vacuum pump (to input of abatement system)
Abatement system (to input of customers exhaust system)
Once the nodes are selected, the analyst should obtain all necessary, available documents,
including drawings, specifications, schematics, component lists, etc., to complete the analysis.
Piping and instrumentation drawings (PID) are critical to a thorough examination where process
piping and chemical distribution systems are part of a node(s).
A team of interdisciplinary experts should be assembled so that a competent examination of each
node is performed. For a process-intensive system, the team should be comprised of
representatives from product safety, process engineering, product development, and field service.
At the heart of the effort, the team identifies the means through which deviation from the design
intent can occur. It further determines whether these deviations, collectively or individually,
might create hazard. The team should be led by individuals serving as a facilitator and a
technical scribe. At the start of the session, the facilitator should remind the team of the analysis
boundaries and recommended nodes and ensure that this focus is kept throughout the analysis.
Steps used to examine each node include the following:
Developing the intention(s) and associated parameters (design intent) for each element.
Brainstorming deviations from the design intent (parameter) using guide word identifiers;
e.g., high, low," or none for the parameter pressure. (See Table 7 for a detailed
matrix of deviation guide words.) Once the guide word is applied, then the deviation is
identified; e.g., high pressure or low pressure.
Determining causes and consequences of the deviating elements.
Recommending effective mitigation or protection(s) to eliminate the consequences of
identified single point hazards.
Adding a column to capture comments and action items.
The results of the analysis are recorded on a worksheet. A sample hazard analysis of a CVD
system that focuses on one key node (gas panel to process module) is shown in Table 10.
3.5.7 Results
3.5.8 Assessment
The assessment revealed several design, operating, or procedural deviations that could result in
hazards. These hazards were primarily the potential for release of corrosive, pyrophoric, and
oxidizing gases and their potential incompatible reaction(s): To facilitate tracking the completion
of action items, the action items documented on the HAZOP summary tables (Table 10) are
listed below. Only an example of the gas panel node is provided.
By-pass V-13 opened Same as above Valve labeled as to correct Action: Determine bypass flow
(manual valve) position and confirm normal pump
dilution rate does not achieve
SiH4 LFL.
Flow when no By-pass V-15 fails open Same as above
flow should
occur
Valve V-14 leak-by Potential flow of incompatible Dual valve isolation required by
gases, causing reaction. (See maintenance procedure prior to
Wrong Flow, below). If opening any hazardous gas line
maintenance personnel open line,
potential exposure to flow of gas.
Low Flow Low silane flow Loss of silane supply Process quality issue only. No
rate anticipated hazard.
Reverse Silane flows to Loss of N2 supply pressure Contamination of N2 supply; Pressure transducer on N2 supply Comment: Pressure profile
Flow N2 supply and V-13 open potential reaction in other tools line is observed prior to operation prevents unless by-pass open
if this is not dedicated supply. (manifold connection down-
stream of MFC, so flow is sub-
atmospheric)
Silane flows to Recipe error Cross-contamination of process Interlock on final valves (V-7, V-
NF3 or PH3 gas supply; potential reaction. 14) prevents flow of both gases
supply simultaneously
Wrong Silane flows at Controller error Potential flow of incompatible Interlock on final valves (V-7, Action: Confirm interlocks are
wrong time Recipe error gases, causing reaction. However, V-14) prevents flow of both hardware, not firmware
gases would mix at gases simultaneously (hardware requiring software
subatmospheric pressure, so Pressure interlock disallows gas control)
reaction is reduced. flow to chamber unless sub-
atmospheric pressure
Guide
Parameter Word Deviation Cause(s) Consequence(s) Protection Comments/Action
Flow of NF3 or High High process gas MFC failure Potential un-reacted process gas Dilution at pump discharge sized
PH3 flow rate through chamber to vacuum for silane, so more than adequate
pump. PH3 additional flow may for MFC failed flows of other
cause phosphorus buildup, process gases
requiring additional maintenance
and associated hazards.
Low Flow Low process gas Loss of supply Process quality issue only. No
flow rate anticipated hazard.
Guide
Parameter Word Deviation Cause(s) Consequence(s) Protection Comments/Action
Enclosure Exhaust No No exhaust flow Exhaust system failure Same as above Emergency Notification System
Flow at enclosure shuts down gas flow at the
source.
Low Insufficient Incorrect damper position Same as above Observation of magnehelic Action: Consider photohelic with
exhaust for required on daily rounds notification of low flow to
capture replace magnehelic gauge.
Exhaust Fan/Scrubber Room Air
Sample Point
Gas Cabinet Pre-treatment
Sample Point Process Tool
Sample Point
vent line
Secondary Containment
Process Tool
Seismic
Shutdown valve Sensor
Purge Assembly
Fire Alarm EPO
EPO
Process gas
w/ RFO
Controller
Purge gas
0.00 ppm
Gas Monitor
4 REFERENCES
Mahn, J.A et al., Qualitative Methods for Assessing Risk, Document Number SAND95-0320,
Sandia National Laboratories (May 1995).
Gertman, David I. and Blackman, Harold S., Human Reliability and Safety Analysis Data
Handbook, John Wiley and Sons, Inc (1994).
Stephans, Richard A and Talso, Warner W, editors, System Safety Analysis Handbook, System
Safety Society (1996).
Howard, Hillard H. et al., Guidance for the Preparation of Safety Analysis Reports, Document
number LA-11661-MS, Los Alamos National Laboratory (June 1990).
Parker, Richard and Foster, Mollie, Design for ESH Semiconductor Industry, NSC (1999).
Hazard Analysis and Risk Assessment, Novellus Systems Incorporated ISO procedure SAF-
2002b (April 1999).
Department of Energy, DOE/EH-DRAFT, "Preliminary Guide for Conformance with OSHAs
Rule for Process Safety Management of Highly Hazardous Chemicals," March 1993.
Department of Energy, DOE/EH-DRAFT, Guide for Chemical Process Hazardous Analysis,
March 1993.
Department of Labor, 29 CFR 1910.119, Process Safety Management, July 1992.
Guidelines for Hazardous Evaluation Procedures, Center for Chemical Process Safety, AIChE,
1992.
http://www.sematech.org
e-mail: info@sematech.org